[selinux-policy: 2976/3172] Use relabel permission sets where possible.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:24:56 UTC 2010


commit 83029ff3c562353395850162a9ea9def25f4254f
Author: Dominick Grift <domg472 at gmail.com>
Date:   Wed Sep 15 14:57:02 2010 +0200

    Use relabel permission sets where possible.
    
    Signed-off-by: Dominick Grift <domg472 at gmail.com>

 policy/modules/admin/logrotate.te   |    2 +-
 policy/modules/admin/prelink.te     |    2 +-
 policy/modules/kernel/terminal.if   |    6 +++---
 policy/modules/services/lpd.if      |    2 +-
 policy/modules/services/puppet.te   |    8 ++++----
 policy/modules/services/rpc.if      |    2 +-
 policy/modules/services/virt.te     |    4 ++--
 policy/modules/system/authlogin.if  |    2 +-
 policy/modules/system/logging.if    |    4 ++--
 policy/modules/system/userdomain.if |    2 +-
 10 files changed, 17 insertions(+), 17 deletions(-)
---
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 23ef05f..dd4cd30 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -127,7 +127,7 @@ cron_search_spool(logrotate_t)
 mta_send_mail(logrotate_t)
 
 ifdef(`distro_debian', `
-	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+	allow logrotate_t logrotate_tmp_t:file relabel_file_perms;
 	# for savelog
 	can_exec(logrotate_t, logrotate_exec_t)
 
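Review bot: The replacement on the `+` line is not a pure rewrite: in refpolicy's obj_perm_sets.spt the `relabel_*_perms` sets carry `getattr` in addition to `relabelfrom relabelto`, so every hunk in this commit widens the rule slightly. For the domains that already hold manage or rw permissions on the same type (here logrotate_tmp_t, and prelink.te, puppet.te, rpc.if, virt.te, logging.if) that is a no-op, but the interface hunks in terminal.if (`term_relabel_console`, `term_relabel_unallocated_ttys`, `term_relabel_all_ttys`), lpd.if, authlogin.if (`auth_relabel_shadow`, now also `getattr` on shadow_t) and userdomain.if hand the extra permission to every caller that previously received only the two relabel permissions. If that is intended, a one-line note in the commit message such as `Note: the relabel_*_perms sets also grant getattr on the target type.` would make the audit trail clear; if not, the bare `{ relabelfrom relabelto }` form should stay in those interfaces. The enclosing `ifdef(\`distro_debian'` block continues past the hunk.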
diff --git a/policy/modules/admin/prelink.te b/policy/modules/admin/prelink.te
index cdbadda..0faba2a 100644
--- a/policy/modules/admin/prelink.te
+++ b/policy/modules/admin/prelink.te
@@ -63,7 +63,7 @@ files_search_var_lib(prelink_t)
 
 # prelink misc objects that are not system
 # libraries or entrypoints
-allow prelink_t prelink_object:file { manage_file_perms execute relabelto relabelfrom };
+allow prelink_t prelink_object:file { manage_file_perms execute relabel_file_perms };
 
 kernel_read_system_state(prelink_t)
 kernel_read_kernel_sysctls(prelink_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index f9930a3..87a6942 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -336,7 +336,7 @@ interface(`term_relabel_console',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 console_device_t:chr_file { relabelfrom relabelto };
+	allow $1 console_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1118,7 +1118,7 @@ interface(`term_relabel_unallocated_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 tty_device_t:chr_file { relabelfrom relabelto };
+	allow $1 tty_device_t:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
@@ -1300,7 +1300,7 @@ interface(`term_relabel_all_ttys',`
 	')
 
 	dev_list_all_dev_nodes($1)
-	allow $1 ttynode:chr_file { relabelfrom relabelto };
+	allow $1 ttynode:chr_file relabel_chr_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index a4f32f5..d801ec0 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -153,7 +153,7 @@ interface(`lpd_relabel_spool',`
 	')
 
 	files_search_spool($1)
-	allow $1 print_spool_t:file { relabelto relabelfrom };
+	allow $1 print_spool_t:file relabel_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/services/puppet.te b/policy/modules/services/puppet.te
index 3588ebb..9587224 100644
--- a/policy/modules/services/puppet.te
+++ b/policy/modules/services/puppet.te
@@ -179,21 +179,21 @@ read_files_pattern(puppetmaster_t, puppet_etc_t, puppet_etc_t)
 allow puppetmaster_t puppet_log_t:dir { rw_dir_perms setattr };
 allow puppetmaster_t puppet_log_t:file { rw_file_perms create setattr };
 logging_log_filetrans(puppetmaster_t, puppet_log_t, { file dir })
-allow puppetmaster_t puppet_log_t:file { relabelfrom relabelto };
+allow puppetmaster_t puppet_log_t:file relabel_file_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
 manage_files_pattern(puppetmaster_t, puppet_var_lib_t, puppet_var_lib_t)
-allow puppetmaster_t puppet_var_lib_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_lib_t:dir relabel_dir_perms;
 
 setattr_dirs_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 manage_files_pattern(puppetmaster_t, puppet_var_run_t, puppet_var_run_t)
 files_pid_filetrans(puppetmaster_t, puppet_var_run_t, { file dir })
-allow puppetmaster_t puppet_var_run_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_var_run_t:dir relabel_dir_perms;
 
 manage_dirs_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 manage_files_pattern(puppetmaster_t, puppetmaster_tmp_t, puppetmaster_tmp_t)
 files_tmp_filetrans(puppetmaster_t, puppetmaster_tmp_t, { file dir })
-allow puppetmaster_t puppet_tmp_t:dir { relabelfrom relabelto };
+allow puppetmaster_t puppet_tmp_t:dir relabel_dir_perms;
 
 kernel_dontaudit_search_kernel_sysctl(puppetmaster_t)
 kernel_read_system_state(puppetmaster_t)
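Review bot: The last `+` line still targets `puppet_tmp_t` while the three manage/filetrans rules directly above it operate on `puppetmaster_tmp_t`, so the relabel permission appears to be granted on a different type than the one puppetmaster_t creates and manages; this mismatch predates the commit but the rewritten line is the natural place to settle it. If `puppet_tmp_t` is not deliberately shared with the puppet client domain (the type declarations are outside the hunk, so this is inferred), the line should read `allow puppetmaster_t puppetmaster_tmp_t:dir relabel_dir_perms;`. Otherwise a short comment above the rule, e.g. `# puppetmaster relabels the client's tmp dirs, not its own`, would stop the next reader from flagging it as a typo.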
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index b0eac5b..b65be0c 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -434,5 +434,5 @@ interface(`rpc_manage_nfs_state_data',`
 
 	files_search_var_lib($1)
 	manage_files_pattern($1, var_lib_nfs_t, var_lib_nfs_t)
-	allow $1 var_lib_nfs_t:file { relabelfrom relabelto };
+	allow $1 var_lib_nfs_t:file relabel_file_perms;
 ')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index f38e1ce..5d16d55 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -238,8 +238,8 @@ filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
 manage_lnk_files_pattern(virtd_t, virt_image_type, virt_image_type)
-allow virtd_t virt_image_type:file { relabelfrom relabelto };
-allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
+allow virtd_t virt_image_type:file relabel_file_perms;
+allow virtd_t virt_image_type:blk_file relabel_blk_file_perms;
 
 manage_dirs_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
 manage_files_pattern(virtd_t, virt_tmp_t, virt_tmp_t)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index bd3185e..5819211 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -741,7 +741,7 @@ interface(`auth_relabel_shadow',`
 	')
 
 	files_search_etc($1)
-	allow $1 shadow_t:file { relabelfrom relabelto };
+	allow $1 shadow_t:file relabel_file_perms;
 	typeattribute $1 can_relabelto_shadow_passwords;
 ')
 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index aa09d1c..453377e 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1033,8 +1033,8 @@ interface(`logging_admin_syslog',`
 	manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
 
 	logging_manage_all_logs($1)
-	allow $1 logfile:dir  { relabelfrom relabelto };
-	allow $1 logfile:file  { relabelfrom relabelto };
+	allow $1 logfile:dir relabel_dir_perms;
+	allow $1 logfile:file relabel_file_perms;
 
 	init_labeled_script_domtrans($1, syslogd_initrc_exec_t)
 	domain_system_change_exemption($1)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index c67c8e8..0a771a8 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1781,7 +1781,7 @@ interface(`userdom_relabel_user_home_files',`
 		type user_home_t;
 	')
 
-	allow $1 user_home_t:file { relabelto relabelfrom };
+	allow $1 user_home_t:file relabel_file_perms;
 ')
 
 ########################################

